Re: 0.9.7-dev ncipher bugfixes

2002-01-28 Thread Richard Levitte - VMS Whacker

From: Toomas Kiisk [EMAIL PROTECTED]

vix> $ nfkminfo -k
vix> [vix@eebik vix]$ nfkminfo -k
vix> Key summary - 1 keys:
vix>  AppName embedIdent b6621954138bf0e41553115f2c402ed802c1bdb1
vix>
vix> How do I load this key with openssl? Operator card does not
vix> have a passphrase.

I think OpenSSL isn't ready for those yet.  Not totally sure.  I know
that nCipher has a patch for some older version of OpenSSL (at least
last I looked) that makes it handle this type of PEM file.

I've been pondering adding that kind of capability to OpenSSL, off and
on, but never had time to finish pondering and start coding.  I might
take a look at that again unless someone else gets there before me.
The ultimate goal might be to create some kind of general format
similar to the nCipher embed private keys, but generalised to a form
that's not specifically bound to nCipher (IIRC, there's a string
embedded in that private key, among others containing the word
nCipher).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: OpenSSL Key Generation GUI for Windows

2002-01-28 Thread Richard Koenning

At 12:55 27.01.2002 +, you wrote:
> I'm thinking of writing a small GUI application that implements just the 2
> following functions of:
>
> *Create a self-signed certificate
> *Create a private key
>
> First, is there such an application already around (I can't find any), and
> secondly, would a random seed made from the current time (date, hour,
> minutes, seconds, ms) be okay (this would be running under Windows)?

No! (regarding the random seed)

Netscape has (afaik) used such a seeding (time and process id) in early
versions of their browsers. The resulting keys were broken in just one or
two hours with a simple PC (today it would probably be just minutes).
Look into the OpenSSL sources, in crypto/rand is some code for gathering
entropy material under windows (iirc).
Ciao,
Richard Könning 


-- 
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH, EP LP COM 5
Phone/Fax: +49-89-636-47852 / 47655
E-Mail: [EMAIL PROTECTED]
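
Added example, not part of the original message or of OpenSSL: why a seed taken from the clock fails, next to a key drawn from the operating system's generator. The toy PRNG (splitmix64), the function names and the timestamp are constructed for illustration, and reading /dev/urandom assumes a Unix-like host; a creation time known to within one hour leaves about 22 bits of seed, so a check that walks that window re-derives the key.

```c
/* Added example: a key derived only from the clock can be re-derived by
 * anyone who can bound its creation time. Toy PRNG, constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* splitmix64: toy deterministic generator standing in for any PRNG whose
 * entire state comes from the seed. Not a real key generator. */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Weak: the 128-bit "key" is a pure function of wall-clock milliseconds. */
void key_from_clock(uint64_t epoch_ms, uint8_t key[16]) {
    uint64_t state = epoch_ms;
    for (int i = 0; i < 2; i++) {
        uint64_t word = splitmix64(&state);
        memcpy(key + 8 * i, &word, sizeof word);
    }
}

/* Bits needed to index every millisecond in a window: the real key strength. */
unsigned seed_space_bits(uint64_t window_ms) {
    unsigned bits = 0;
    while (bits < 64 && (1ULL << bits) < window_ms)
        bits++;
    return bits;
}

/* Audit check: regenerate the key for each millisecond in [from_ms, to_ms].
 * Returns the seed that reproduces `key`, or 0 if none in the window does. */
uint64_t find_clock_seed(const uint8_t key[16], uint64_t from_ms, uint64_t to_ms) {
    uint8_t candidate[16];
    for (uint64_t t = from_ms; t <= to_ms; t++) {
        key_from_clock(t, candidate);
        if (memcmp(candidate, key, sizeof candidate) == 0)
            return t;
    }
    return 0;
}

/* Sound: take all 16 bytes from the operating system's generator.
 * Returns 1 on success, 0 on failure (never fall back to the clock). */
int key_from_os(uint8_t key[16]) {
    FILE *f = fopen("/dev/urandom", "rb");   /* assumption: Unix-like host */
    if (f == NULL)
        return 0;
    size_t got = fread(key, 1, 16, f);
    fclose(f);
    return got == 16;
}

int main(void) {
    const uint64_t created = 1012224000123ULL;   /* constructed timestamp */
    uint8_t key[16];

    key_from_clock(created, key);
    printf("one-hour window: %u bits of seed\n", seed_space_bits(3600000));
    printf("clock key re-derived: %s\n",
           find_clock_seed(key, created - 1800000, created + 1800000) ? "yes" : "no");
    return key_from_os(key) ? 0 : 1;
}
```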




SSL connection without certificate and private key?

2002-01-28 Thread Petr Knez

Hi,
can I establish SSL connection without certificate and private key?

I need only secure connection without authentication.

I have tried this but SSL_accept returns this error: (1) 
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.

Thanks,
Petr




PKCS12 import failure

2002-01-28 Thread Alvaro Egea

Hi all,

I have a problem with PKCS#12 Import procedure in Netscape Navigator.
During the development tasks I have created my own CA using OpenSSL,
everything went ok (Client Cert for IE and Netscape).
The certification process is done only for one of the browsers (IE) and then
the certificate is exported to PKCS#12 file to be imported in Netscape.
The process is ok for OpenSSL Certs but not for Microsoft Certificate Server
(Ouch!). When I export the cert in P12 file through IE, and check the option
to add the root CA chain, the file exported is not imported correctly in
Netscape. If I do not check the option the P12 is imported but it cannot be
validated (Netscape does not have the CA cert installed). I have tried to
import root CA via Web into the Netscape but no message is shown, no
wizard, and the Cert is not imported.
Does anyone know what could be happening? I have unpacked P12 file using
openssl and everything seems to be all right.
What can I do?

Regards 
Alvaro.



Re: PKCS12 import failure

2002-01-28 Thread Aleix Conchillo

Hi Alvaro,

I had a similar problem with Netscape. When I generated the
certificates, I initialized the certificates serial number file (ca.srl)
to 00 and Netscape correctly exported the user certificate, but not the
ca. I repeated all steps again without resetting ca.srl to 00 and then it
worked. So my certificate has 01 serial number now.

Best regards,

aleix





RE: OpenSSL Key Generation GUI for Windows

2002-01-28 Thread Andrew Finnell

I was under the impression that on Windows OpenSSL uses RAND_screen which will obtain random data from the screen and mouse events? Shouldn't you use that?


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 



> -Original Message-
> From: Richard Koenning [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 7:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: OpenSSL Key Generation GUI for Windows
>
> At 12:55 27.01.2002 +, you wrote:
> > I'm thinking of writing a small GUI application that implements just
> > the 2 following functions of:
> >
> > *Create a self-signed certificate
> > *Create a private key
> >
> > First, is there such an application already around (I can't find any),
> > and secondly, would a random seed made from the current time (date,
> > hour, minutes, seconds, ms) be okay (this would be running under
> > Windows)?
>
> No! (regarding the random seed)
>
> Netscape has (afaik) used such a seeding (time and process
> id) in early versions of their browsers. The resulting keys
> were broken in just one or two hours with a simple PC (today
> it would probably be just minutes). Look into the OpenSSL
> sources, in crypto/rand is some code for gathering entropy
> material under windows (iirc). Ciao, Richard Könning
>
> --
> Dr. Richard W. Könning
> Fujitsu Siemens Computers GmbH, EP LP COM 5
> Phone/Fax: +49-89-636-47852 / 47655
> E-Mail: [EMAIL PROTECTED]
 
 





RE: OpenSSL Key Generation GUI for Windows

2002-01-28 Thread Jeffrey Altman

> I was under the impression that on windows OpenSSL uses RAND_screen
> which will obtain random data from the screen and mouse events?
> Shouldn't you use that?

OpenSSL uses a combination of methods including walking the Process and
Thread tables; importing network state information; walking the memory
allocation tables; reading screen data; and including data from the
Windows crypto APIs.



 Jeffrey Altman * Sr.Software Designer  C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/ secured with Kerberos, SRP, and 
 [EMAIL PROTECTED]OpenSSL. Interfaces with OpenSSH



Re: SQL DB instead of index.txt

2002-01-28 Thread Marko Asplund

On Sun, 27 Jan 2002, Bear Giles wrote:

> ...
> Long term, it would be best to create an abstraction layer that
> would allow any backend to be used.  I can think of multiple
> common storage formats: text files, DBM files, LDAP, RDBMS.  But
> that's definitely not a 0.9.7 task!

why not use an existing database abstraction layer such as libdbi or ODBC?

http://libdbi.sourceforge.net/
http://www.unixodbc.org/

-- 
aspa




RE: OpenSSL Key Generation GUI for Windows

2002-01-28 Thread Richard Koenning

At 09:09 28.01.2002 -0500, you wrote:
> I was under the impression that on windows OpenSSL uses
> RAND_screen which will obtain random data from the screen and mouse events?
> Shouldn't you use that?

Exactly this function (in crypto/rand/rand_win.c) I had on my mind, but I
was too lazy to look up the name.
Jeffrey has already described in more detail how this function gathers
entropy.
Ciao,
Richard   
-- 
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH, EP LP COM 5
Phone/Fax: +49-89-636-47852 / 47655
E-Mail: [EMAIL PROTECTED]




RE: SSL connection without certificate and private key?

2002-01-28 Thread Shaw, George

You can use Anonymous Diffie-Hellman cipher, which is excluded from the
default cipher list.  But beware ... this will not stop a man-in-the-middle
attack.  You should look at the set cipher functions in the manual pages.

G.


-Original Message-
From: Petr Knez [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2002 13:56
To: [EMAIL PROTECTED]
Subject: SSL connection without certificate and private key?


Hi,
can I establish SSL connection without certificate and private key?

I need only secure connection without authentication.

I have tried this but SSL_accept returns this error: (1) 
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.

Thanks,
Petr




RE: PKCS12 import failure

2002-01-28 Thread Alvaro Egea

Hello,

Thanx. My problem is, I think, during IE export process, or during Microsoft
Root CA generation. I cannot modify the parameters for the root CA so I
cannot change or see anything. OpenSSL does not have problems, I can create
CAs, and client certs... package, import... whatever you want. But, I have
no idea with Microsoft.
I'm thinking of sending this problem to the correct thread. I think that
here, where everybody works with Open tools, there's nothing to do with a
problem like mine.
But one last question. Has the Root CA for Netscape to be created with any
restriction? Why, and when, a root-CA cannot be imported in this browser?

Thanx again, and best regards.

Alvaro.

-Original Message-
From: Aleix Conchillo [mailto:[EMAIL PROTECTED]]
Sent: Monday, 28 January 2002 15:24
To: [EMAIL PROTECTED]
Subject: Re: PKCS12 import failure


Hi Alvaro,

I had a similar problem with Netscape. When I generated the
certificates, I initialized the certificates serial number file (ca.srl)
to 00 and Netscape correctly exported the user certificate, but not the
ca. I repeated all steps again without resetting ca.srl to 00 and then it
worked. So my certificate has 01 serial number now.

Best regards,

aleix





Re: SSL.PM question

2002-01-28 Thread Ron . Flolid


Thanks for the response and your suggestion was essentially what I had
added to the SSL.pm module to get around the problem. I guess that my
wording of the problem made it appear that I was asking the significance of
the uninitialized variable, but I was really trying to understand why the
SSL.pm was coded to require a proxy when in most cases a proxy is not used.
Again, thanks for your great reply.




Keary Suska [EMAIL PROTECTED]@openssl.org on 01/24/2002 03:14:20 PM

Please respond to [EMAIL PROTECTED]

Sent by:  [EMAIL PROTECTED]


To:   OpenSSL [EMAIL PROTECTED]
cc:
Subject:  Re: SSL.PM question


on 1/23/02 7:07 PM, [EMAIL PROTECTED] purportedly said:

> On Wed, 23 Jan 2002 [EMAIL PROTECTED] wrote:
>
>> I'm using SSLeay along with OpenSSL to retrieve https pages via SSL.pm.
>> I'm not using a proxy, but in the runtime I get the familiar uninitialized
>> variable message being displayed for a line in SSL.pm. I normally like to
>> keep my executions clean and don't want uninit messages from coming up,
>> so I would like to resolve this problem. I'm using 2.75 SSL.pm and the
>> error is coming from line 363 $proxy_server =~ s|^https?://||i; First, I
>> haven't a clue as to what this statement is doing from the syntax.
>> I'm guessing that it is doing a pattern search but the | are
>> throwing me off. I too see from the code that it is trying to parse
>> HTTPS_PROXY key value from the ENV hash. I put a value into the key
>> value, (i.e. HTTPS_PROXY) but I still get the uninit message. Could
>> someone be so kind as to tell me what the statement is doing and how I
>> might eliminate the message. Yes, I do know that I could remove -w
>> on the execution to suppress the message.
>
> This line is attempting a substitution -- the | characters are the
> regular expression delimiters (Perl is quite liberal in what characters
> are used in this context).  The 'http' (with optional 's') and '://' are
> being replaced by a null string.  The trailing 'i' indicates ignore
> case.  So it is actually stripping the protocol information from the URL.
> The complaint is probably coming from the variable $proxy_server not being
> properly defined somewhere before this line, hence it cannot be bound to
> the substitution operator.

Actually, that is not exactly the issue. Perl has no problem using the
variable, that's why it is issuing a warning instead of an error. The
warning message is a very common one. It means that an operation is being
performed on a variable that has a currently undefined value. Since Perl
doesn't initialize variables on declaration, this has to be done manually.
You can search the code for where $proxy_server is declared (by a my(),
local(), or our() statement), and right after it initialize it to an empty
value:
$proxy_server = '';

That will remove the warning message. However, you should be aware that the
code may expect the value to be undefined under certain circumstances. You
may want to search for a call to defined on that variable. If you find
one, you should change the troublesome line of code to:
$proxy_server =~ s|^https?://||i if defined $proxy_server;
and *not* initialize the variable as specified above. On second thought, you
should do this anyway, as it is much safer overall.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet




RE: OpenSSL ported to VxWorks?

2002-01-28 Thread Prashant Kumar

Hello Ganesh,

For VxWorks you should include sys/times.h.

VxWorks doesn't have a times function,
however, VxWorks has a time function.
Also, VxWorks has random and
srandom function.

About Time_F function in apps directory,
I have not ported this directory. I have
ported only the ssl and crypto directories.
I don't think Time_F function is used in
the crypto directory (looks like it is used
only in speed.c and s_time.c in the apps
directory).

These are the files I have compiled in des directory

CLIST = \
cbc_cksm.c cbc_enc.c  cfb64enc.c cfb_enc.c  \
ecb3_enc.c ecb_enc.c  enc_read.c enc_writ.c \
fcrypt.c ofb64enc.c ofb_enc.c  pcbc_enc.c \
qud_cksm.c rand_key.c read_pwd.c rpc_enc.c  set_key.c  \
des_enc.c fcrypt_b.c read2pwd.c \
xcbc_enc.c \
str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c

Also, I have attached herewith the VxWorks changes
I did in e_os.h.

Hope that this helps.

Regards,
Prashant.



-Original Message-
From: ganesh kumar godavari [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 10:09 PM
To: Kumar, Prashant [BL60:437:EXCH]
Cc: [EMAIL PROTECTED]
Subject: RE: OpenSSL ported to VxWorks?



hello,
 i am trying to port openssl-0.96b onto VxWorks. i found the ftime and alarm
functions missing in VxWorks.

does VxWorks have related function for ftime and alarm?. if so can u tell
me.

have u been successful in porting rand functions? i am facing some problem
as VxWorks doesn't have sys/un.h header. can u tell me the how to port
rand functions.

i am also facing some problem with des too. i am getting an error saying
des_cbc_encrypt func is declared multiple times. i looked into it but it
was defined only once. can u send me the make file for DES?

sending a copy of Time_f function that is widely used
in most of the crypto library.


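#ifdef TIMES
#include <sys/times.h>   /* times(), struct tms */
#else
#include <sys/timeb.h>   /* ftime(), struct timeb */
#endif

/* START and HZ are expected to be defined by the surrounding source file.
 * Called with s == START this records the start time and returns 0; any
 * other value returns the seconds elapsed since that START call. */
double Time_F(int s)
    {
    double ret;
#ifdef TIMES
    static struct tms tstart,tend;

    if (s == START)
        {
        times(&tstart);          /* pass the address, not the struct */
        return(0);
        }
    else
        {
        times(&tend);
        /* user CPU time in clock ticks, converted to seconds */
        ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
        return((ret == 0.0)?1e-6:ret);   /* never return 0 to callers that divide by it */
        }
#else /* !times() */
    static struct timeb tstart,tend;
    long i;

    if (s == START)
        {
        ftime(&tstart);
        return(0);
        }
    else
        {
        ftime(&tend);
        /* wall-clock difference: whole seconds plus milliseconds */
        i=(long)tend.millitm-(long)tstart.millitm;
        ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
        return((ret == 0.0)?1e-6:ret);
        }
#endif
    }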



Thanks,
gkgodava





e_os.h
Description: Binary data


Re: SQL DB instead of index.txt

2002-01-28 Thread Richard Levitte - VMS Whacker

From: Marko Asplund [EMAIL PROTECTED]

aspa> On Sun, 27 Jan 2002, Bear Giles wrote:
aspa>
aspa> > ...
aspa> > Long term, it would be best to create an abstraction layer that
aspa> > would allow any backend to be used.  I can think of multiple
aspa> > common storage formats: text files, DBM files, LDAP, RDBMS.  But
aspa> > that's definitely not a 0.9.7 task!
aspa>
aspa> why not use an existing database abstraction layer such as
aspa> libdbi or ODBC?

From an OpenSSL point of view, that's uninteresting.  What is
interesting is to offer a layer above that, designed to handle the
objects handled by OpenSSL: certificates, keys, crls,...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



About UTF8String

2002-01-28 Thread Tomoaki Misaki

hello,

I am using openssl-0.9.6b.
I have a question.
OrganizationName is PrintableString usually, but can I make it UTF8String?
Can you put DirName in issuerAltName?

Thanks,
Tom



Does the crypto library support this?

2002-01-28 Thread Scott

I asked this question and didn't get a response, maybe I didn't ask it
correctly.

Please help if you can.

I am looking for functions that support the Feige-Fiat-Shamir proof of
identification protocol (Zero-Knowledge Test/Protocol).  We are working on a
smartcard project.  Feige-Fiat-Shamir group came up with a variation in the
late 90's that was well suited for this type of technology and I need to be
able to replicate it somewhat on our windows systems for proof of concept.
These small compact one-way functions work well and are in use all over in
the smartcard industry.  These particular algorithms must be available in a
library somewhere.

Do the SSL libraries (more important, the crypto library) supply such a
thing?  If so, where can I read about it and learn how to use it?

Thanks in advance for looking at this.

Scott



Re: SQL DB instead of index.txt

2002-01-28 Thread Bear Giles

> > I can think of multiple
> > common storage formats: text files, DBM files, LDAP, RDBMS.
>
> why not use an existing database abstraction layer such as libdbi or ODBC?
 
Too abstract - queries are done with SQL statements.  That's not a
problem with a RDBMS backend, but requires a lot of extra code with
everything else.  Even if you identify a set of standard query strings
and use hardcoded strcmp(), maintenance is a nightmare.

All you really need is a simple api: store(), remove(), lookup(),
revoke() (or update()?), maybe a few more, and a dynamic library
loader.  And some configuration code that allows the user to specify
which dynamic library to load.  (Then again, in this case it may be
okay to just create a symlink from some standard name to the desired
dynamic library.)
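
The small API described in the message above, sketched as an added example that is not part of the original post or of OpenSSL. Every name here (`ca_db_ops`, `ca_db_open`, `remove_cert`, the in-memory backend) is hypothetical, and a static registry stands in for the dynamic library loader; the 'V'/'R' status letters follow the flags used in index.txt.

```c
/* Added example: a backend-neutral certificate index behind a small ops table. */
#include <stdio.h>
#include <string.h>

enum cert_status { CERT_VALID = 'V', CERT_REVOKED = 'R' };
struct cert_rec { char serial[17]; char subject[64]; enum cert_status status; int used; };

/* What every backend (text file, DBM, LDAP, RDBMS) would export. */
struct ca_db_ops {
    const char *name;
    int (*store)(const char *serial, const char *subject);
    int (*lookup)(const char *serial, struct cert_rec *out);
    int (*revoke)(const char *serial);
    int (*remove_cert)(const char *serial);
};

/* In-memory backend, hypothetical and only for this example. */
static struct cert_rec mem_tab[32];
static struct cert_rec *mem_find(const char *serial) {
    for (size_t i = 0; i < sizeof mem_tab / sizeof mem_tab[0]; i++)
        if (mem_tab[i].used && strcmp(mem_tab[i].serial, serial) == 0) return &mem_tab[i];
    return NULL;
}
static int mem_store(const char *serial, const char *subject) {
    /* Reject oversize fields and duplicate serials: one serial, one certificate. */
    if (strlen(serial) >= sizeof mem_tab[0].serial ||
        strlen(subject) >= sizeof mem_tab[0].subject || mem_find(serial) != NULL)
        return -1;
    for (size_t i = 0; i < sizeof mem_tab / sizeof mem_tab[0]; i++) {
        struct cert_rec *r = &mem_tab[i];
        if (r->used) continue;
        strcpy(r->serial, serial);      /* lengths were checked above */
        strcpy(r->subject, subject);
        r->status = CERT_VALID;
        r->used = 1;
        return 0;
    }
    return -1;  /* table full */
}
static int mem_lookup(const char *serial, struct cert_rec *out) {
    struct cert_rec *r = mem_find(serial);
    if (r != NULL) *out = *r;
    return r != NULL ? 0 : -1;
}
static int mem_revoke(const char *serial) {
    /* Revocation flips the status and keeps the record, so a CRL can list it. */
    struct cert_rec *r = mem_find(serial);
    if (r == NULL || r->status == CERT_REVOKED) return -1;
    r->status = CERT_REVOKED;
    return 0;
}
static int mem_remove(const char *serial) {
    struct cert_rec *r = mem_find(serial);
    if (r != NULL) r->used = 0;
    return r != NULL ? 0 : -1;
}
static const struct ca_db_ops mem_backend = { "memory", mem_store, mem_lookup, mem_revoke, mem_remove };

/* Static registry standing in for the loader; unknown backend names fail closed. */
static const struct ca_db_ops *const backends[] = { &mem_backend };
const struct ca_db_ops *ca_db_open(const char *name) {
    for (size_t i = 0; i < sizeof backends / sizeof backends[0]; i++)
        if (strcmp(backends[i]->name, name) == 0) return backends[i];
    return NULL;
}

int main(void) {
    const struct ca_db_ops *db = ca_db_open("memory");
    struct cert_rec r;
    if (db == NULL || db->store("01", "CN=constructed example") != 0) return 1;
    if (db->revoke("01") == 0 && db->lookup("01", &r) == 0)
        printf("%s %c %s\n", r.serial, r.status, r.subject);
    return 0;
}
```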



need help with the openssl command.

2002-01-28 Thread Sandström, Mikael

Hi

I got an old and a new crt file...
Now I want to know if the old one really is 128bit crypto.

If it's possible..

What do I type using openssl command?

// Micke





Re: SQL DB instead of index.txt

2002-01-28 Thread Keary Suska

on 1/28/02 9:10 AM, [EMAIL PROTECTED] purportedly said:

> > why not use an existing database abstraction layer such as libdbi or ODBC?
>
> Too abstract - queries are done with SQL statements.  That's not a
> problem with a RDBMS backend, but requires a lot of extra code with
> everything else.  Even if you identify a set of standard query strings
> and use hardcoded strcmp(), maintenance is a nightmare.

Actually, not necessarily. As with other software that can use DB backends,
simply expanding the configuration file options to include table and column
names (notwithstanding connectivity parameters) will give a great amount of
flexibility and at the same time liberate the details from the core code.

> All you really need is a simple api: store(), remove(), lookup(),
> revoke() (or update()?), maybe a few more, and a dynamic library
> loader.  And some configuration code that allows the user to specify
> which dynamic library to load.  (Then again, in this case it may be
> okay to just create a symlink from some standard name to the desired
> dynamic library.)

I would imagine this is how it would be done internally in any case, whether
as loadable or by a compile-time option. The issue would then be whether the
openssl team would create the plugins, or leave it to third party
developers. I suppose it is a quality control issue. But functionality such
as I mention above will have to be incorporated into the core code or users
will have to use whatever schema conventions the authors choose, or be
forced to develop their own plugins.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet




Re: SQL DB instead of index.txt

2002-01-28 Thread Bear Giles

(Slightly OT, but it is important to anyone looking at storing
these objects in a relational database.)

> with postgres 7.1 the 8k limit is gone anyway.

Yes and no.  What 7.1 added - and why I don't support older versions -
is TOAST support that tells the database server that it's okay to
move the user-defined type out of the main record if necessary.
By default new user-defined types remain in the main record and that's
still limited to 8k.

Since the well-defined types (both standard and user-defined) now
support this, it's fair for the casual user to say that the 8k limit
is gone.  But anyone working in the backend needs to deal with this
issue.